[Snort-sigs] iroffer IRC P2P Bot signatures

Mister Coffee live4java at ...2599...
Tue Jun 29 08:31:03 EDT 2004


On Tue, Jun 29, 2004 at 09:47:28AM -0400, Kevin Kolk wrote:
> I have recently discovered several systems in one of the networks I
> manage that have had a variant of the iroffer (http://iroffer.org/)
<<snippage>
> common messages produced by the bot when connected to a channel with
> it.  Affected system will be the destination. 
> 
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; classtype: trojan-activity; sid:20046250; priority:1; flags:PA;)
> 
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; rawbytes; depth:500; classtype: trojan-activity; sid:20046251; priority:1; flags:PA;)
> 
> This could of course cause false positives if someone joined an IRC
> channel that had one of these bots in it.  However at this point I have
> not seen any.
> 
> Kevin

Also note that the bot is configurable for any valid IRC port.  While the default is 6667, many servers will listen in a broader range - 6660-6669 is not uncommon.  If configured as a trojan, the intruder may have set a different port.

Cheers,
L4J
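As an added illustration of the port point above (example code written for this page, not code from the post, from Snort, or from iroffer): the two hex content patterns from the quoted rules are decoded to ASCII and matched, in the same spirit as the rules (first 500 payload bytes, source port filter), against constructed sample IRC server lines arriving from the default port 6667, from 6669, and from an arbitrary port. The bot nick, channel, file counts and all session lines are constructed sample data; only the two matched substrings come from the rules.

```python
"""Port-agnostic check of the two iroffer content patterns.

Constructed example; sample sessions below are made up for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hex content bodies copied from the two quoted rules.
HELP_HEX = ("54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70"
            " 65 3A 20 22 2F 6D 73 67")
OFFERED_HEX = "54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A"


def hex_content(pattern: str) -> bytes:
    """Decode the body of a Snort |xx xx ...| content pattern to raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


@dataclass(frozen=True)
class Rule:
    msg: str
    src_ports: Optional[FrozenSet[int]]  # None stands for Snort's 'any'
    content: bytes
    depth: int = 500  # the quoted rules search only the first 500 payload bytes


def matches(rule: Rule, src_port: int, payload: bytes) -> bool:
    """Source-port filter, then a content search limited to `depth` bytes."""
    if rule.src_ports is not None and src_port not in rule.src_ports:
        return False
    return rule.content in payload[: rule.depth]


def build_rules(src_ports: Optional[FrozenSet[int]]) -> List[Rule]:
    """The two rules from the post, parameterised by their source-port set."""
    return [
        Rule("P2P iroffer IRC Bot help message", src_ports, hex_content(HELP_HEX)),
        Rule("P2P iroffer IRC Bot offered files advertisement", src_ports,
             hex_content(OFFERED_HEX)),
    ]


# Constructed (server port, payload) samples: default port, another port in
# 6660-6669, an arbitrary port, a benign MOTD line, and a segment where the
# help text sits past the 500-byte depth limit.
HELP_LINE = b':bot!~x@h PRIVMSG #chan :** To request a file type: "/msg bot xdcc send #x" **\r\n'
SESSIONS: List[Tuple[int, bytes]] = [
    (6667, HELP_LINE),
    (6669, b':bot!~x@h PRIVMSG #chan :** Total Offered: 700.0 MB  Total Transferred: 1.2 GB **\r\n'),
    (7000, HELP_LINE),
    (6667, b':irc.example 372 nick :- Welcome, please read the rules\r\n'),
    (6667, b':irc.example 372 nick :- ' + b'-' * 500 + b'\r\n' + HELP_LINE),
]


def alert_ports(rules: List[Rule], sessions: List[Tuple[int, bytes]]) -> List[int]:
    """Server ports of the sessions that trigger at least one rule, in order."""
    return [port for port, payload in sessions
            if any(matches(r, port, payload) for r in rules)]


DEFAULT_ONLY = build_rules(frozenset({6667}))          # the rules as posted
PORT_RANGE = build_rules(frozenset(range(6660, 6670)))  # Snort syntax: 6660:6669
ANY_PORT = build_rules(None)                            # Snort syntax: any


if __name__ == "__main__":
    for label, rules in [("6667 only", DEFAULT_ONLY),
                         ("6660:6669", PORT_RANGE),
                         ("any", ANY_PORT)]:
        print(f"{label:10s} -> alerts on server ports {alert_ports(rules, SESSIONS)}")
```

Widening the source port to the 6660:6669 range catches the second sample session but still misses the bot talking to a server on port 7000; only `any` catches that, at the cost of searching every TCP stream for the two strings, so the false-positive exposure Kevin mentions grows with it. The last sample session is missed by all three variants because the help text arrives more than 500 bytes into the segment, which is what `depth:500` asks for.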
